Credential stuffing
An automated attack that replays username/password pairs leaked in third-party breaches against unrelated services, exploiting password reuse to take over accounts at scale.
Credential stuffing is an automated account-takeover (ATO) attack in which an adversary replays username/password pairs leaked in one breach against other, unrelated services — betting that a meaningful percentage of users reused the same credentials. Unlike brute-forcing, the attacker is not guessing; they are submitting credentials known to have worked somewhere else.
The OWASP project tracks credential stuffing as OAT-008 in its Automated Threats to Web Applications taxonomy. The attack economics are brutal: success rates of 0.1-2% per credential list are typical, but lists run into the hundreds of millions of pairs (Collection #1 in 2019 contained 773 million unique email/password combinations; the 2024 “Mother of All Breaches” aggregated 26 billion records). At that volume, even a 0.5% success rate yields hundreds of thousands of takeovers.
How a credential-stuffing operation runs end to end:
- Source. Curated breach corpora, sold or freely traded — Have I Been Pwned aggregates the public ones; the underground ecosystem maintains its own.
- Infrastructure. Residential-proxy botnets (Bright Data resellers, criminal networks like 911.re before takedown) and CAPTCHA-solving services rotate IPs to defeat rate limiting.
- Tooling. OpenBullet, Sentry MBA, Snipr — automation frameworks that accept a “config” describing a target site’s login flow and run lists through it.
- Monetization. Validated accounts are resold by category — streaming, retail, banking, corporate SaaS — or used directly for fraud, data exfiltration, or lateral movement.
What blocks credential stuffing:
- MFA — especially FIDO2 / passkeys. A correct password is no longer enough.
- Breach-corpus screening at sign-in or password set (Have I Been Pwned’s Pwned Passwords API is the canonical free implementation).
- Behavior-based detection. Velocity, geo-impossibility, low-reputation ASN — most useful against bulk-volume attacks.
- Hardware-bound credentials — see SSO consolidation onto an IdP that enforces phishing-resistant factors.
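The breach-corpus screening above is usually done with a k-anonymity range query: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, and receives every suffix in the corpus that shares that prefix, so the service never sees the password or its full hash. The following is an added example, not code from the original page or from Have I Been Pwned: it implements the client side of that protocol against a small constructed corpus served by a local stand-in function (the real Pwned Passwords endpoint is `https://api.pwnedpasswords.com/range/<prefix>` and returns the same `SUFFIX:COUNT` lines). The corpus, the prevalence counts, and the function names are assumptions made for the example.

```python
"""Breach-corpus password screening via a k-anonymity range query (added example).

The lookup below is a local stand-in for GET /range/{prefix} on the Pwned
Passwords API; swap `local_range_lookup` for an HTTP call to use the real service.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed breached-password corpus with made-up prevalence counts.
BREACHED_CORPUS: Dict[str, int] = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "qwerty": 3_900_000,
    "letmein": 150_000,
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest format the range protocol uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Server side: bucket every corpus hash by its 5-hex-char prefix."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(BREACHED_CORPUS)


def local_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP range endpoint: newline-separated SUFFIX:COUNT lines."""
    return "\n".join(sorted(RANGE_INDEX.get(prefix.upper(), [])))


def pwned_count(password: str,
                lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Client side: send only the prefix, match the suffix locally.

    Returns how many times the password appeared in the corpus (0 if absent).
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def should_reject_password(password: str, threshold: int = 1) -> bool:
    """Policy hook for password-set or sign-in: reject any known-breached password."""
    return pwned_count(password) >= threshold


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw), "reject" if should_reject_password(pw) else "ok")
```

At sign-in, a hit against the corpus is a reason to step up to MFA or force a reset rather than to reveal the count to the user; at password-set time it is a plain rejection. The real endpoint also offers response padding so an observer cannot infer the bucket size from the reply length.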
Traditional brute-force defenses (account lockout, exponential backoff) are largely irrelevant here: each credential is tried once, against one account, often from a different IP. The defense surface is the credential lifecycle itself, and the user behavior — password reuse — that feeds it.
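Because each credential is tried once against one account, a per-account failure counter never reaches a lockout threshold; the signal lives in the source instead: many distinct usernames, a high failure ratio, and high velocity from one IP or one ASN. The following added example (not code from the original page) runs that comparison over a constructed login log: one ordinary user, one bulk source IP, and one distributed source spread across several IPs in a single ASN. The log lines, addresses, ASNs, thresholds, and function names are all assumptions made for the example.

```python
"""Velocity and username-diversity detection for credential stuffing (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed login events: timestamp, source IP, ASN, username, outcome.
# 198.51.100.7 is a normal user who mistyped once; 203.0.113.10 runs a list of
# eight accounts from one IP; AS64510 runs the same kind of list across six IPs.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 AS64496 alice SUCCESS
2024-05-01T10:00:09Z 198.51.100.7 AS64496 alice FAIL
2024-05-01T10:00:15Z 198.51.100.7 AS64496 alice SUCCESS
2024-05-01T10:01:02Z 203.0.113.10 AS64500 bob FAIL
2024-05-01T10:01:03Z 203.0.113.10 AS64500 carol FAIL
2024-05-01T10:01:03Z 203.0.113.10 AS64500 dave FAIL
2024-05-01T10:01:04Z 203.0.113.10 AS64500 erin FAIL
2024-05-01T10:01:04Z 203.0.113.10 AS64500 frank SUCCESS
2024-05-01T10:01:05Z 203.0.113.10 AS64500 grace FAIL
2024-05-01T10:01:05Z 203.0.113.10 AS64500 heidi FAIL
2024-05-01T10:01:06Z 203.0.113.10 AS64500 ivan FAIL
2024-05-01T10:02:00Z 192.0.2.21 AS64510 judy FAIL
2024-05-01T10:02:00Z 192.0.2.22 AS64510 mallory FAIL
2024-05-01T10:02:01Z 192.0.2.23 AS64510 niaj FAIL
2024-05-01T10:02:01Z 192.0.2.24 AS64510 olivia FAIL
2024-05-01T10:02:02Z 192.0.2.25 AS64510 peggy FAIL
2024-05-01T10:02:02Z 192.0.2.26 AS64510 rupert FAIL
"""


@dataclass(frozen=True)
class Attempt:
    ts: str
    ip: str
    asn: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the whitespace-separated constructed log format above."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, asn, user, result = line.split()
        attempts.append(Attempt(ts, ip, asn, user, result == "SUCCESS"))
    return attempts


def failures_per_account(attempts: List[Attempt]) -> Counter:
    return Counter(a.user for a in attempts if not a.ok)


def lockout_would_fire(attempts: List[Attempt], threshold: int = 5) -> bool:
    """The classic brute-force control: does any single account exceed the threshold?"""
    counts = failures_per_account(attempts)
    return bool(counts) and max(counts.values()) >= threshold


def group_stats(attempts: List[Attempt],
                key: Callable[[Attempt], str]) -> Dict[str, Tuple[int, int, float]]:
    """Per group: (attempt count, distinct usernames, failure ratio)."""
    buckets: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        buckets[key(a)].append(a)
    stats = {}
    for k, group in buckets.items():
        fails = sum(1 for a in group if not a.ok)
        stats[k] = (len(group), len({a.user for a in group}), fails / len(group))
    return stats


def flag_groups(attempts: List[Attempt], key: Callable[[Attempt], str],
                min_attempts: int = 5, min_distinct_users: int = 5,
                min_fail_ratio: float = 0.75) -> List[str]:
    """Flag sources that hit many different accounts, fast, and mostly fail."""
    return sorted(k for k, (n, users, ratio) in group_stats(attempts, key).items()
                  if n >= min_attempts and users >= min_distinct_users and ratio >= min_fail_ratio)


def flag_source_ips(attempts: List[Attempt]) -> List[str]:
    return flag_groups(attempts, lambda a: a.ip)


def flag_source_asns(attempts: List[Attempt]) -> List[str]:
    """Same test one level up, which catches lists spread over many IPs in one network."""
    return flag_groups(attempts, lambda a: a.asn)


def successes_from_flagged(attempts: List[Attempt], flagged_ips: List[str]) -> List[str]:
    """Accounts that authenticated from a flagged source: the takeovers to step up or reset."""
    return sorted({a.user for a in attempts if a.ok and a.ip in set(flagged_ips)})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("lockout fires:", lockout_would_fire(events))
    print("flagged IPs:", flag_source_ips(events))
    print("flagged ASNs:", flag_source_asns(events))
    print("accounts to reset:", successes_from_flagged(events, flag_source_ips(events)))
```

On this log the per-account lockout never fires (no account fails more than once), the bulk IP is flagged on its own, and the distributed source is only visible once attempts are aggregated by ASN. The one account that succeeded from a flagged source is the takeover to act on, by forcing a reset or stepping up to MFA.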
Related terms
- Password reuse: The practice of using the same password — or near-identical variants — across multiple services, turning any single breach into a multi-account compromise via credential stuffing.
- Multi-factor authentication (MFA): An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
- Single Sign-On (SSO): An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
- FIDO2 / Passkeys: Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.